US12339965B2 · Active · Utility · PatentIndex 56

Malware detection and content item recovery

Assignee: DROPBOX INC
Priority: Dec 29, 2016
Filed: Dec 28, 2022
Granted: Jun 24, 2025
Est. expiry: Dec 29, 2036 (~10.5 yrs left) · nominal 20-yr term from priority
Inventors: ARORA ISHITA, MITYAGIN ANTON, ZHANG RAY, KELLER SAM, Sern Stacey
G06F 21/568, G06F 21/562, G06F 21/563, G06F 21/567, G06F 2221/034, G06F 8/71, G06F 21/566
PatentIndex Score: 56 · Cited by: 0 · References: 26 · Claims: 14

Abstract

Disclosed are systems, methods, and non-transitory computer-readable storage media for malware detection and content item recovery. For example, a content management system can receive information describing changes made to content items stored on a user device. The content management system can analyze the information to determine if the described changes are related to malicious software on the user device. When the changes are related to malicious software, the content management system can determine which content items are affected by the malicious software and/or determine when the malicious software first started making changes to the user device. The content management system can recover affected content items associated with the user device by replacing the affected versions of the content items with versions of the content items that existed immediately before the malicious software started making changes to the user device.

Claims

exact text as granted — not AI-modified
What is claimed is: 
     
       1. A method comprising:
 identifying, by a content management system, a change set including change entries describing changes made at a client device to content contained in content items; 
 analyze, by the content management system, the change set based on one or more malware detection rules; 
 determining, by the content management system, a number of the change entries in the change set that satisfy at least one of the one or more malware detection rules; 
 based on the number of the change entries that satisfy at least one of the one or more malware detection rules, initiating, by the content management system, a scan of other change sets associated with the client device to determine whether the client device has malicious software; 
 during the scan of the other change sets associated with the client device, confirming, by the content management system, that the client device has the malicious software; 
 identifying, by the content management system, a target content item affected by the malicious software; 
 identifying, by the content management system, a first change entry in the other change sets corresponding to a first indication of the malicious software affecting the target content item; and 
 restoring, by the content management system, the target content item to a prior version predating the first change entry. 
 
     
     
       2. The method of  claim 1 , wherein the content management system is configured to apply the described changes to original versions of the respective content items to generate current versions of the respective content items. 
     
     
       3. The method of  claim 1 , further comprising:
 responsive to confirming that the client device has the malicious software during the scan of the other change sets, suspending synchronization of content items between the content management system and the client device. 
 
     
     
       4. The method of  claim 1 , wherein restoring, by the content management system, the target content item to the prior version predating the first change entry comprises:
 identifying, by the content management system, a target change set corresponding to the target content item; 
 identifying, by the content management system, a first subset of change entries predating the first change entry and a second subset of change entries succeeding the first change entry; and 
 applying, by the content management system, the first subset of change entries to an original version of the target content item to restore the target content item to the prior version of the target content item predating the first change entry. 
 
     
     
       5. The method of  claim 1 , further comprising:
 determining, by the content management system, that the malicious software has been removed from the client device; and 
 responsive to determining that the malicious software has been removed, resuming, by the content management system, synchronization of content items between the content management system and the client device. 
 
     
     
       6. A non-transitory computer readable medium comprising one or more sequences of instructions, which, when executed by one or more processors, causes a computing system to perform operations comprising:
 identifying, by a content management system, a change set including change entries describing changes made at a client device to content contained in content items; 
 analyzing, by the content management system, the change set based on one or more malware detection rules; 
 determining, by the content management system, a number of the change entries in the change set that satisfy at least one of the one or more malware detection rules; 
 based on the number of the change entries that satisfy at least one of the one or more malware detection rules, initiating, by the content management system, a remedial action to remove malicious software from the client device; 
 during the remedial action to remove malicious software from the client device, confirming, by the content management system, that the client device has the malicious software; 
 identifying, by the content management system, a target content item affected by the malicious software; 
 identifying, by the content management system, a first change entry in other change sets corresponding to a first indication of the malicious software affecting the target content item; and 
 restoring, by the content management system, the target content item to a prior version predating the first change entry. 
 
     
     
       7. The non-transitory computer readable medium of  claim 6 , wherein the content management system is configured to apply the described changes to original versions of the respective content items to generate current versions of the respective content items. 
     
     
       8. The non-transitory computer readable medium of  claim 6 , wherein initiating, by the content management system, the remedial action to remove the malicious software from the client device comprises:
 initiating a scan of other change sets associated with the client device to determine whether the client device has the malicious software. 
 
     
     
       9. The non-transitory computer readable medium of  claim 6 , wherein restoring, by the content management system, the target content item to the prior version predating the first change entry comprises:
 identifying, by the content management system, a target change set corresponding to the target content item; 
 identifying, by the content management system, a first subset of change entries predating the first change entry and a second subset of change entries succeeding the first change entry; and 
 applying, by the content management system, the first subset of change entries to an original version of the target content item to restore the target content item to the prior version of the target content item predating the first change entry. 
 
     
     
       10. The non-transitory computer readable medium of  claim 6 , wherein initiating, by the content management system, the remedial action to remove the malicious software from the client device comprises:
 suspending synchronization of content items between the content management system and the client device. 
 
     
     
       11. The non-transitory computer readable medium of  claim 10 , further comprising: determining, by the content management system, that the malicious software has been removed from the client device; and
 responsive to determining that the malicious software has been removed, resuming, by the content management system, synchronization of content items between the content management system and the client device. 
 
     
     
       12. A content management system comprising:
 one or more processors; and 
 a memory having programming instructions stored thereon, which, when executed by the one or more processors, causes the content management system to perform operations comprising:
 identifying, by the content management system, a change set including change entries describing changes made at a client device to content contained in content items; 
 analyzing, by the content management system, the change set based on one or more malware detection rules; 
 determining, by the content management system, a number of the change entries in the change set that satisfy at least one of the one or more malware detection rules; and 
 based on the number of the change entries that satisfy at least one of the one or more malware detection rules, initiating, by the content management system, a scan of other change sets associated with the client device to determine whether the client device has malicious software; 
 during the scan of the other change sets associated with the client device, confirming, by the content management system, that the client device has the malicious software; 
 identifying, by the content management system, a target content item affected by the malicious software; 
 identifying, by the content management system, a first change entry in the other change sets corresponding to a first indication of the malicious software affecting the target content item; and 
 restoring, by the content management system, the target content item to a prior version predating the first change entry. 
 
 
     
     
       13. The content management system of  claim 12 , further comprising:
 responsive to confirming that the client device has the malicious software during the scan of the other change sets, suspending synchronization of content items between the content management system and the client device. 
 
     
     
       14. The content management system of  claim 12 , wherein restoring, by the content management system, the target content item to the prior version predating the first change entry comprises:
 identifying, by the content management system, a target change set corresponding to the target content item; 
 identifying, by the content management system, a first subset of change entries predating the first change entry and a second subset of change entries succeeding the first change entry; and 
 applying, by the content management system, the first subset of change entries to an original version of the target content item to restore the target content item to the prior version of the target content item predating the first change entry.
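
The flow described in the abstract and in claims 1 and 4 (count rule matches in one change set, scan the device's other change sets for the first matching entry per item, then replay only the earlier entries onto the original version), as an added Python example that is not part of the patent text. The `ChangeEntry` layout, the two detection rules, the `.locked` suffix, the threshold and the sample data are assumptions made for illustration, and any rule match found during the scan is treated as confirmation.

```python
import math
from collections import Counter, namedtuple

# seq: report order; item: content item id; name: item name after the change;
# op: "append" or "replace" (hypothetical delta operations); data: bytes
ChangeEntry = namedtuple("ChangeEntry", "seq item name op data")

def entropy(data):  # Shannon entropy, bits per byte
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

# Assumed rules and threshold: the page defines neither.
RULES = [lambda e: e.name.endswith(".locked"),
         lambda e: e.op == "replace" and entropy(e.data) > 7.5]
THRESHOLD = 2

def matches(e):
    return any(rule(e) for rule in RULES)

def suspicious(change_set):  # enough entries satisfy at least one rule
    return sum(matches(e) for e in change_set) >= THRESHOLD

def first_bad_entries(entries):  # item -> seq of its first matching entry
    first = {}
    for e in sorted(filter(matches, entries), key=lambda e: e.seq):
        first.setdefault(e.item, e.seq)
    return first

def restore(original, entries, first_bad_seq):  # replay only earlier entries
    content = original
    for e in sorted((e for e in entries if e.seq < first_bad_seq), key=lambda e: e.seq):
        content = e.data if e.op == "replace" else content + e.data
    return content

def recover(trigger, device_sets, originals):
    flat = [e for cs in device_sets for e in cs]
    hits = first_bad_entries(flat) if suspicious(trigger) else {}
    return {item: restore(originals[item], [e for e in flat if e.item == item], seq)
            for item, seq in hits.items()}

NOISE = bytes(range(256))  # constructed sample data from here on
ORIGINALS = {"a": b"Q1 notes\n", "b": b"budget\n"}
CS1 = [ChangeEntry(1, "a", "notes.txt", "append", b"draft 2\n")]
CS2 = [ChangeEntry(2, "b", "budget.csv", "append", b"row\n"),
       ChangeEntry(3, "a", "notes.txt", "replace", NOISE)]
CS3 = [ChangeEntry(4, "a", "notes.txt.locked", "replace", NOISE),
       ChangeEntry(5, "b", "budget.csv.locked", "replace", NOISE)]
```

In the sample, `CS3` trips the threshold, but the scan places item `a`'s first bad entry back in `CS2` (seq 3), so `a` is rebuilt from an earlier point than the change set that raised the alarm.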

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.